Connect
- Objectives: What are you trying to achieve?
- Risks: What might thwart our efforts?
- Controls: How can we manage risk?

Internal Control
INTERNAL CONTROL is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to:
- Operations: effectiveness, efficiency, safeguarding of assets
- Reporting: reliability, timeliness, transparency
- Compliance: with the regulatory environment
Management has a fundamental responsibility to develop and maintain effective internal control.

Internal Control
INTERNAL CONTROLS are:
- Continuous: built into operations, not one single event
- Effected by people: "Only you can prevent forest fires"
- Able to provide reasonable assurance: not absolute assurance
- Adaptable: dynamic; applicable to the entire entity or to a particular division, business process, etc.

COSO Framework
What are the five integrated components of internal control?

Updated COSO Framework
- Reflective of the current environment
- Applicable to more business objectives
- Integrated approach to addressing organization-wide objectives
- Flexible and customizable
- Principles-based rather than rules-based: 17 principles formalize the fundamental concepts that help an entity specify objectives, assess risks, and deploy controls
- Designed to help address objectives across the organization, e.g., controls that address financial reporting fraud may also help address compliance objectives
Key: ramp it up in the "right" areas. How are the right areas defined? By risk assessment.

Updated COSO Framework
The five integrated components form the COSO "cube": each component applies along the three main objectives (operations, reporting, compliance) and at all levels of the organization.

COSO cube – 5 Integrated Components
1. Control Environment
The set of standards, processes, and structures that provide the basis for carrying out internal control. It comprises the integrity and ethical values of the organization.
The Board and Senior Management (and you!):
- Establish the tone at the top
- Establish expected standards of conduct and reinforce those expectations
- Set the parameters that enable the Board to carry out its governance oversight responsibilities
University tone at the top: Policy 804, Standards of Ethical Conduct

COSO cube – 5 Integrated Components
The Control Environment should ensure controls are in place covering areas such as:
- Hiring practices
- Training programs
- Whistleblower policies
- Code of Ethics
- Clear lines of responsibility and authority
- Etc.
As part of our regular business processes, we should continually monitor and update the Control Environment as conditions change.

COSO cube – 5 Integrated Components
Compliance vs. Integrity Strategy:
A "Compliance Strategy" tries to prevent violations of regulations and self-interested behavior by employees by imposing standards of conduct intended to compel acceptable behavior.
An "Integrity Strategy" seeks to create conditions that support right action by communicating the values and vision of the organization, aligning the standards of employees with those of the organization, and relying on the whole management team, not just lawyers and compliance officers.

COSO cube – 5 Integrated Components
The Control Environment should be documented (process documentation and controls):
- Determine the extent of existing documentation and leverage it
- Create new documentation where none exists
- Update documentation for changes in operations
Types of documentation that can be used:
- Process narratives
- Organizational charts
- Flowcharts
- Questionnaires
- Memorandums
- Checklists

COSO cube – 5 Integrated Components
2. Risk Assessment
Risk: the possibility that an event will occur and adversely affect the achievement of objectives.
Risk assessment is a dynamic and iterative process for identifying and assessing risks. The Board and Senior Management (and you!):
- Establish objectives linked at different levels of the entity
- Take a holistic approach: look at the full organization
- Apply internal control to achieve multiple objectives
- Prevent domino effects, e.g., a weakness in financial reporting that jeopardizes operations
- Establish risk tolerances, which is increasingly important when resources are constrained

COSO cube – 5 Integrated Components
Risk Management: a process applied in a strategic setting and across the entity, designed to identify and manage risks so as to stay within the risk appetite/tolerance level and to provide reasonable assurance about achieving entity goals and objectives.
Risk Assessment: an element of internal control within the risk management process that enables management to identify and assess key risks to achieving its objectives; it forms the basis on which control activities are determined.

COSO cube – 5 Integrated Components
3. Control Activities
If a weakness or limitation exists within the control environment, a compensating control may be relied upon to mitigate the risk. Compensating controls can be preventive or detective.
Example: a unit does not have the staff resources to establish adequate segregation of duties. Potential compensating controls include:
- Automated recording of transaction data that cannot be altered by the staff
- Manager review of detailed summary reports of the transactions initiated by the staff
- Peer staff and/or manager selection of a sample of transactions, vouched back to supporting documentation
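The three compensating controls listed above, worked into code as an added example (this is not material from the slide deck or the University's own tooling). It assumes a small unit whose staff initiate purchase transactions: the transactions are appended to a hash-chained log so that an in-place edit or deletion by staff is detectable, a per-initiator summary is produced for manager review, and a reviewer-seeded sample is drawn for vouching to supporting documents. The transactions, names and vendors are constructed for illustration.

```python
import hashlib
import json
import random
from collections import defaultdict

GENESIS = "0" * 64

# Constructed sample data: transactions initiated by staff in a small unit.
# Amounts are in cents so totals are exact integers.
SAMPLE_TXS = [
    {"id": "T1", "initiator": "alice", "vendor": "Acme",    "amount_cents": 12000},
    {"id": "T2", "initiator": "alice", "vendor": "Acme",    "amount_cents": 480000},
    {"id": "T3", "initiator": "bob",   "vendor": "Globex",  "amount_cents": 7550},
    {"id": "T4", "initiator": "alice", "vendor": "Initech", "amount_cents": 30000},
    {"id": "T5", "initiator": "bob",   "vendor": "Globex",  "amount_cents": 99999},
]


def entry_hash(prev_hash, tx):
    """Hash of one log entry, bound to the previous entry's hash (the chain link)."""
    payload = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def record_entry(log, tx):
    """Control 1 (automation): append tx to a hash-chained log. Staff may append,
    but cannot silently edit or delete an earlier entry as long as the latest
    hash is periodically copied somewhere they cannot write (the anchor)."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"tx": dict(tx), "prev": prev, "hash": entry_hash(prev, tx)}
    log.append(entry)
    return entry["hash"]


def verify_chain(log, anchor=None):
    """Return the index of the first broken entry, or -1 if the chain is intact.
    `anchor` is the head hash the manager recorded out of band; a chain that was
    rewritten from some point onward still fails because its head differs."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or entry_hash(prev, e["tx"]) != e["hash"]:
            return i
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return len(log)  # every entry self-consistent, but the head was replaced
    return -1


def summary_report(log):
    """Control 2 (manager review): per-initiator count, total and largest amount."""
    rep = defaultdict(lambda: {"count": 0, "total_cents": 0, "max_cents": 0})
    for e in log:
        t = e["tx"]
        r = rep[t["initiator"]]
        r["count"] += 1
        r["total_cents"] += t["amount_cents"]
        r["max_cents"] = max(r["max_cents"], t["amount_cents"])
    return dict(rep)


def select_sample(log, n, seed):
    """Control 3 (vouching): pick n transaction ids to trace to supporting documents.
    The seed is chosen by the reviewer, not the staff, so the selection is
    reproducible for the file but not predictable by the initiators. The largest
    transaction is always included as a risk-based pick."""
    largest = max(log, key=lambda e: e["tx"]["amount_cents"])["tx"]["id"]
    pool = [e["tx"]["id"] for e in log if e["tx"]["id"] != largest]
    picks = random.Random(seed).sample(pool, min(max(n - 1, 0), len(pool)))
    return sorted([largest] + picks)


def build_log(txs=SAMPLE_TXS):
    """Build a chained log from the constructed transactions."""
    log = []
    for tx in txs:
        record_entry(log, tx)
    return log


if __name__ == "__main__":
    log = build_log()
    anchor = log[-1]["hash"]            # manager keeps this outside the unit's reach
    print("chain intact:", verify_chain(log, anchor) == -1)
    print("summary:", summary_report(log))
    print("sample for vouching:", select_sample(log, 3, seed=20240531))
    log[1]["tx"]["amount_cents"] = 4800  # staff edits an amount in place
    print("first bad entry:", verify_chain(log, anchor))
```

The anchor is the part that makes the first control meaningful: a hash chain stored entirely where the staff can rewrite it proves nothing, because the whole chain can be recomputed; the manager's out-of-band copy of the head hash is what turns the log into something the staff cannot alter undetected.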

COSO cube – 5 Integrated Components
4. Information and Communication
- Information is necessary to carry out internal control responsibilities in support of the objectives
- Communication is the continual, iterative process of providing, sharing, and obtaining necessary information, both internal and external
- Information should be timely and accessible and should allow for successful control actions
Key: communicate the right information to the right people at the right time.

COSO cube – 5 Integrated Components
5. Monitoring / Validating Controls
Deficiency in Design: a critical control is not properly designed, i.e., even if the control operates as designed, the control objective is not always met.
When validating control design (determining effectiveness):
- Consider various factors: how the control is performed, who performs it, what data/reports are used in performing it, and what physical evidence it produces
- Work from the process narratives, flowcharts, and any other relevant material obtained and/or completed in the documentation stage
- Be aware that application controls are either programmed control procedures (e.g., edits, matching, reconciliation routines) or computer processes (e.g., calculations, on-line entries, automatic system interfaces)

COSO cube – 5 Integrated Components
Monitoring / Validating Controls (continued)
Deficiency in Operation: a properly designed control does not operate as intended, or the person performing the control does not possess the necessary authority or qualification to perform it effectively.
Testing operating effectiveness includes, in part:
- Reviewing supporting documentation for proper authorization
- Reviewing the results of periodic reconciliations
- Reviewing policies and procedures to determine whether they are being followed
- Using appropriate sampling techniques as necessary

COSO cube – 5 Integrated Components
Monitoring / Validating Controls (continued)
Documentation should be maintained for:
- The evaluation of internal control at the entity and process levels
- What testing has been performed
- Identified deficiencies
Documentation must contain sufficient information to:
- Identify who performed the work and when
- Enable understanding of the nature, timing, extent, and results of the procedures performed
- Enable understanding of the evidence obtained
- Support the conclusions reached

Limitations of Internal Control
Even an effective system of internal control can experience a failure. Limitations may result from:
- The suitability of the established objectives
- The reality that human judgment in decision making can be faulty and subject to bias
- Breakdowns that occur because of human failures such as simple errors
- The ability of management to override internal control
- The ability of management, other personnel, and/or third parties to circumvent controls through collusion
- External events beyond the University's control
Again, internal control provides reasonable, not absolute, assurance of achieving objectives.

Practical Implications
How can you incorporate internal controls within your current processes?

Connect
- Objectives: What are you trying to achieve?
- Risks: What might thwart our efforts?
- Controls: How can we manage risk?

Identifying Key Controls
Identifying Key Control Activities
- Identify and document all controls associated with key processes
- Identify the characteristics of controls that, when functioning as intended, would give the evaluator a "level of comfort" to conclude that the control is effective with respect to a given risk
Consider control effectiveness by focusing on:
- Directness and clarity of the control technique
- Frequency with which the control technique is applied
- Experience of the personnel performing the control
- Procedures followed when a control identifies an exception condition

Identifying Key Controls
Understanding Control Design
For internal controls over financial reporting, consider the following questions:
1. Will the control techniques help achieve the control objectives?
2. Will the controls mitigate risk to an acceptable level?
3. How do the related control objectives prevent or detect a potential misstatement?
4. How do potential misstatements affect the related financial report line item?

Identifying Key Controls
Common Basic Internal Control Principles
- Establish responsibility: assign each task to only one person
- Segregate duties: don't make one employee responsible for all parts of a process
- Restrict access: don't provide access to systems, information, assets, etc. unless it is needed to complete assigned responsibilities
- Document procedures and transactions: prepare documents to show that activities have occurred
- Independently verify: check others' work
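The first three principles above can be checked mechanically against an access-assignment matrix. The following is an added example, not part of the slide deck or any University system: it assumes a hypothetical export of roles, the duties each role grants, who holds which roles, the duties each person's assigned responsibilities actually need, and a task-ownership register. All role names, duty names, users and conflict pairs are constructed for illustration; a real matrix would come from the ERP or identity system.

```python
# Duties each role grants (hypothetical role and duty names).
ROLE_DUTIES = {
    "ap_clerk":   {"create_vendor", "initiate_payment"},
    "ap_manager": {"approve_payment"},
    "cashier":    {"record_receipt"},
    "accountant": {"reconcile_bank"},
    "viewer":     {"view_reports"},
}

# Pairs of duties one person should not hold together (segregation of duties).
CONFLICTING_DUTIES = [
    ("create_vendor", "approve_payment"),
    ("initiate_payment", "approve_payment"),
    ("record_receipt", "reconcile_bank"),
]

# Who holds which roles (constructed).
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},  # can create a vendor and approve its payment
    "bob":   {"cashier", "accountant"},   # records receipts and reconciles the bank
    "carol": {"ap_clerk", "viewer"},
    "dana":  {"accountant"},
}

# Duties each person's assigned responsibilities actually require (constructed).
REQUIRED_DUTIES = {
    "alice": {"create_vendor", "initiate_payment", "approve_payment"},
    "bob":   {"record_receipt", "reconcile_bank"},
    "carol": {"create_vendor"},           # never initiates payments
    "dana":  {"reconcile_bank"},
}

# Task ownership register (constructed): each task should have exactly one owner.
TASK_OWNERS = {
    "monthly_bank_reconciliation": ["dana"],
    "vendor_master_review": ["alice", "carol"],
    "petty_cash_count": [],
}


def duties_of(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Effective duties: the union of the duties granted by each of the user's roles."""
    return set().union(*(role_duties.get(r, set()) for r in user_roles.get(user, set())))


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   conflicts=CONFLICTING_DUTIES):
    """Segregate duties: users whose combined roles grant a conflicting pair.
    The check is on effective duties, so a conflict split across two roles is caught."""
    out = []
    for user in sorted(user_roles):
        held = duties_of(user, user_roles, role_duties)
        for a, b in conflicts:
            if a in held and b in held:
                out.append((user, a, b))
    return out


def responsibility_gaps(task_owners=TASK_OWNERS):
    """Establish responsibility: tasks with no owner, or with more than one."""
    return {task: len(owners) for task, owners in task_owners.items() if len(owners) != 1}


def excess_access(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, required=REQUIRED_DUTIES):
    """Restrict access: duties granted beyond what the person's responsibilities need."""
    result = {}
    for user in sorted(user_roles):
        extra = duties_of(user, user_roles, role_duties) - required.get(user, set())
        if extra:
            result[user] = sorted(extra)
    return result


def review():
    """Run all three checks; each finding is something a reviewer must resolve or
    cover with a compensating control (documented, with an independent check)."""
    return {
        "sod_violations": sod_violations(),
        "responsibility_gaps": responsibility_gaps(),
        "excess_access": excess_access(),
    }


if __name__ == "__main__":
    for name, findings in review().items():
        print(name, findings)
```

Note that alice's conflict is not an accident of role design: her required duties themselves include both sides of the pair, which is exactly the situation the Control Activities slide addresses with compensating controls. The remaining two principles (document, independently verify) are evidence requirements rather than something a matrix check can establish.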